Review: Beginning ASP.NET Security
We all want our websites to be secure. We always think this when we start to write one. And then, after we've implemented some 90% of it, we start to wonder whether anything we've written is actually as secure as a vault on the moon, or as leaky as the drunk in the pub with informational diarrhoea. Having decided on the latter, we make a hasty attempt to obfuscate our code, prevent injection attacks, maybe encrypt a few things, and generally make ourselves feel better about it, without knowing how well we've covered our backs, if at all.
Developing secure applications, be they desktop- or web-based, requires us to do two things:
- Be aware of potential vulnerabilities in our code
- Include and work to prevent these security issues throughout development.
Now Beginning ASP.NET Security can't make you change your development process, but what it does do with aplomb is bring you up to speed with common potential vulnerabilities in your website, best practices to avoid them and, where applicable, how to keep up to date with new developments.
With sixteen chapters covering basic page-coding, common ASP.NET framework tasks, and finally tasks out in IIS and .NET as a whole, the book is concise, clearly written, and, most importantly, emphasizes that coding securely isn’t as hard or as time-consuming as you might otherwise have thought. On the other hand, it will also highlight the number of flaws in your previous sites you didn’t even realise were there. You might subtitle this book “Or Why I Learned To Stop Worrying And Get On With Plugging My Security Holes.”
As a former stalwart speaker on security around UK user groups, and now newly resident in Seattle working for the MS Information Security team [http://blogs.msdn.com/securitytools/archive/2010/03/24/the-web-protection-library-plans-and-processes.aspx], Barry Dorrans has been passing his security knowledge on to us Brits for ages and it shows. Each chapter is written around an individual security problem you'll most likely need to attend to before releasing your website live. The crux of the problem is described and, where possible and legal, examples are given of how it can be exploited, before solutions are presented, often as easy-to-reuse code or instructions you can implement in your own projects. To his credit, it's only in the chapter on hashing and encryption that readers may well get bogged down in the theory of it all, but then again, it is the chapter on hashing and encryption, so a fair amount of that should be expected, and there's perhaps more plain English here than other attempts have managed.
All in all, Beginning ASP.NET Security is a great book to have in your reference library. It's confidence boosting: whatever security measures you may have put in place before will be verified (or corrected) in its pages, and those you didn't know about will soon be in place too - another good set of pro-points to put forward to potential clients during that all-important pitch. There are niggles, sure, but they are slowly being addressed as Barry releases errata notes [http://idunno.org/Tags/Errata/default.aspx] on his blog.
Final score 8/10 - well worth the money.
From Amazon UK [http://www.amazon.co.uk/exec/obidos/ASIN/0470743654/hmobiuscom-21] - From Amazon US [http://www.amazon.com/exec/obidos/ASIN/0470743654/hmobiuscom-20]
Posted on May 2, 2010 #Book Reviews